Educause Security Discussion mailing list archives

FERPA Final Rules Released Today


From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Tue, 9 Dec 2008 08:15:46 -0700

[Please excuse the cross-posts.  I wanted to make sure that the CIO,
ICPL, and Security communities had immediate access to this
announcement.  Please let me know if you have any questions.]

The FERPA Final Rules appeared in today's Federal Register.  See
http://edocket.access.gpo.gov/2008/pdf/E8-28864.pdf (PDF) or
http://edocket.access.gpo.gov/2008/E8-28864.htm (HTML).  You may recall
that the proposed rules addressed issues ranging from the status of SSN
and student ID number as "directory information" to matters of "health
and safety emergencies" and the "notification of parents".  We will
complete a more thorough analysis of the changes in the coming days, but
I urge you to share this announcement with your FERPA officer and legal
counsel and seek their advice regarding implementation.

A few of the important information technology and information security
items that we addressed in our written comments to the proposed rules
were addressed by the Department of Education as follows:

SSNs and Student ID - the Department said that "directory information
does not include a student's- (1) Social security number; or (2) Student
identification (ID) number, except as provided in paragraph (c) of this
section. (c) Directory information includes a student ID number, user
ID, or other unique personal identifier used by the student for purposes
of accessing or communicating in electronic systems, but only if the
identifier cannot be used to gain access to education records except
when used in conjunction with one or more factors that authenticate the
user's identity, such as a personal identification number (PIN),
password, or other factor known or possessed only by the authorized
user. (emphasis added)

Information Security - the Department said, "We acknowledge that there
are many sources available concerning information security technology
and processes. The Department does not wish to appear to endorse the
information or product of any company or organization; therefore, we
have included only Federal government sources in this notice."  They
continue, "Although FERPA does not dictate requirements for safeguarding
education records, the Department encourages the holders of personally
identifiable information to consider actions that mitigate the risk and
are reasonably calculated to protect such information. Of course, an
educational agency or institution may use any method, combination of
methods, or technologies it determines to be reasonable, taking into
consideration the size, complexity, and resources available to the
institution; the context of the information; the type of information to
be protected (such as social security numbers or directory
information); and methods used by other institutions in similar
circumstances. The greater the harm that would result from unauthorized
access or disclosure and the greater the likelihood that unauthorized
access or disclosure will be attempted, the more protections an agency
or institution should consider using to ensure that its methods are
reasonable." (emphasis added)

Security Breach Notification - FERPA does not require an educational
agency or institution to notify students that information from their
education records was stolen or otherwise subject to an unauthorized
release, although it does require the agency or institution to maintain
a record of each disclosure. In any case, direct student notification
may be advisable if the compromised data includes student SSNs and other
identifying information that could lead to identity theft.

Control of Access to Education Records by School Officials - the
resulting standard is to "use reasonable methods to ensure that school
officials have access to only those education records in which the
official has a legitimate educational interest."  The Department said,
"We believe that the standard of 'reasonable methods' is sufficiently
flexible to permit each educational agency or institution to select the
proper balance of physical, technological, and administrative controls
to effectively prevent unauthorized access to education records, based
on their resources and needs."  (emphasis added)

Outsourcing - the Department said that "one way in which schools can
ensure that parties understand their responsibilities under FERPA with
respect to education records is to clearly describe those
responsibilities in a written agreement or contract."  They continued,
"Schools outsourcing information technology services, such as web-based
and e-mail services, should make clear in their service agreements or
contracts that the outside party may not use or allow access to
personally identifiable information from education records, except in
accordance with the requirements established by the educational agency
or institution that discloses the information."

Please let me know if you have any further questions.

-Rodney

--------------------------------------------------
Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator

EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX) 
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
-------------------------------------------------- 